I had to clean a machine using the following instructions:

Find and Stop Antivirus 2008 Processes:
  Antvrs.exe
  AntvrsInstall.exe
  AntvrsInstall[1].exe
  Win Antivirus 2008.exe
  av2008xp.exe

Find and Remove Antivirus 2008 registry values:
  HKEY_CURRENT_USER\Software\Antivirus
  HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
  Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC
  Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D
  Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus2008y
  SoftLand Ltd\Antivirus 2008 XP

Find and Delete Antivirus 2008 Files:
  AntiVirus 2008.lnk
  Antvrs.exe
  AntiVirus 2008.lic
  AntvrsInstall.exe
  AntvrsInstall[1].exe
  Uninstall Antivirus.lnk
  Antivirus Pro 2008
  Uninstall Antivirus 2008.lnk
  Win Antivirus 2008.exe
  av2008xp.exe
  s9201

Todd Lemmiksoo
Network Administrator
All-Mode Communications, Inc.
1725 Dryden Road
Freeville, New York 13068
(607) 347-4164 x440
1-877-ALLMODE (toll free)
http://www.all-mode.com

________________________________
From: Durf [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2008 2:52 PM
To: NT System Admin Issues
Subject: Re: "Vista Antivirus 2008" malware removal

Yes, that was all done by the previous tech before I even got in front of it. It hasn't cured it. I'm a little beyond the first Google hit by now. :)

It's quite mysterious. I'm suspecting there's a fake driver installed somewhere.

-- Durf

On Thu, Aug 14, 2008 at 2:46 PM, Carl Houseman <[EMAIL PROTECTED]> wrote:

#1 match for "Vista antivirus 2008" gets you this:
http://www.411-spyware.com/remove-vista-antivirus-2008

If after that it's not working, I'd try a Winsock repair.

Carl

From: Durf [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2008 2:40 PM
To: NT System Admin Issues
Subject: Re: "Vista Antivirus 2008" malware removal

Yes, I know by rights it should be flattened and paved and I intend to do so, but at this point I'm just curious about how it's getting done.

Unfortunately time hasn't allowed for me to do a bunch of poking around with Process Explorer and the like. Mostly I like to see how these things work so as to help identify them in the future.

-- Durf

On Thu, Aug 14, 2008 at 2:31 PM, Ziots, Edward <[EMAIL PROTECTED]> wrote:

Not seen this particular piece of malware, but in the grand scheme of things, if the PC got infected, then can you really trust it by just uninstalling the AV? You could use Procmon and Filemon/Regmon and find out which DLLs (it's probably a DLL hooked into IE or other utilities, which means it's got some root-kit type action) and try and figure out what is doing the re-direct, but the best issue would be to use a boot and nuke CD and wipe the entire disk clean (7 rounds, 3 passes) and start new.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

________________________________
From: Durf [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2008 2:26 PM
To: NT System Admin Issues
Subject: "Vista Antivirus 2008" malware removal

--
--------------
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!
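The removal list Todd posted can be turned into a read-only triage check before anyone starts deleting things. The script below is an added example, not code from the thread or from any of the posters: it reports which of the listed processes, registry keys, autorun values and file names are present on the machine and touches nothing. The process, key and file names come from Todd's list; the registry hive prefixes for the keys he gave without one, and the folders that are searched, are my assumptions.

```powershell
# Added example (not from the thread): read-only check for the Antivirus 2008
# indicators in Todd's list. It only reports; it stops and deletes nothing.
# Hive prefixes on the hive-less keys and the search folders are assumptions.

$processNames = 'Antvrs', 'AntvrsInstall', 'AntvrsInstall[1]', 'Win Antivirus 2008', 'av2008xp'

$registryKeys = @(
    'HKCU:\Software\Antivirus',
    'HKLM:\SOFTWARE\Antivirus',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D', # hive assumed
    'HKCU:\Software\SoftLand Ltd\Antivirus 2008 XP',   # hive assumed
    'HKLM:\SOFTWARE\SoftLand Ltd\Antivirus 2008 XP'    # hive assumed
)

# Autorun values named in the list: key path plus value name.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Antivirus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '3P_UDEC' }
)

$fileNames = 'AntiVirus 2008.lnk', 'Antvrs.exe', 'AntiVirus 2008.lic', 'AntvrsInstall.exe',
             'AntvrsInstall[1].exe', 'Uninstall Antivirus.lnk', 'Uninstall Antivirus 2008.lnk',
             'Win Antivirus 2008.exe', 'av2008xp.exe'

# Folders to search (assumption); entries that are unset on older Windows are skipped.
$searchRoots = @($env:ProgramFiles, $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA,
                 $env:TEMP, $env:SystemRoot) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = @()

foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($processNames -contains $p.ProcessName) {
        $findings += "Process: $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
    }
}

foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key: $k" }
}

foreach ($rv in $runValues) {
    $item = Get-ItemProperty -LiteralPath $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) { $findings += "Autorun value: $($rv.Key)\$($rv.Name) = $($item.$($rv.Name))" }
}

foreach ($root in $searchRoots) {
    # -Force includes hidden files; PSIsContainer filter keeps it working on old PowerShell.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($fileNames -contains $_.Name) } |
        ForEach-Object { $findings += "File: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No Antivirus 2008 indicators found.' } else { $findings | Sort-Object -Unique }
```

Run it from an elevated prompt so the HKLM keys and Program Files are readable; a clean result from this list alone does not prove the box is clean, which is the point Edward makes about reimaging.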
